9030316

System and Method of Anomaly Detection with Categorical Attributes

Published: May 12, 2015
Assignee: not available in USPTO data we have

Patent Claims
20 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A method comprising: detecting a plurality of events related to the activities of users within a security system wherein the events are defined by a plurality of attributes, wherein at least one attribute is categorical and wherein a data distance between events is a function of event attributes; evaluating the detected events using a density based anomaly detection method, f(r), where r is a size of a neighborhood around a data point representing the event; comparing a value of the evaluated expression with a margin threshold value (msg(r)); and setting an alarm upon detecting that the value exceeds the threshold value.

2. The method as in claim 1 wherein the function of the event attributes further comprises associating an event's access point identifier (ID) to a predetermined one of a plurality of security zones within the secured area wherein the distance between events is determined based on spatial arrangement of the security zones and wherein said distance is used to establish notion of neighborhood around a data point representing the event.

3. The method as in claim 1 wherein the function of the event attributes further comprises associating the event's user ID to a predetermined one of a plurality of user roles within the secured area, wherein the distance between events is determined based on similarity of the associated user roles and wherein said distance is used to establish notion of a neighborhood around a data point representing the event.

4. The method as in claim 1 wherein the function of the event attributes further comprises associating the event's user ID to a predetermined one of a plurality of security zones within the secured area, wherein the distance between events is determined based on differences between the associated security zones and wherein said distance is used to establish notion of a neighborhood around a data point representing the event.

5. The method as in claim 1 wherein the function further comprises continuous data values including at least one of a time of entry into the secured area, a frequency of entry into the secured area per time period, a duration of stay within the secured area after each entry, a frequency of travel from one security zone to another within the secured area and a duration of non-entry into the secured area.

6. The method as in claim 5 further comprising constructing a continuous attribute distribution for each continuous data value function associated with each categorical value of a user.

7. The method as in claim 6 further comprising defining a similarity measure using similarity measures including at least Kullback-Leibler divergence or mutual information defined for two distributions.

8. The method as in claim 7 further comprising inverting the similarity into a distance measurement and using it to establish notion of a neighborhood around a data point representing the event.

9. An apparatus comprising: an event processor that detects a plurality of events related to the activities of users within a security system wherein the events are defined by a plurality of attributes, wherein at least one attribute is categorical and wherein a data distance between events is a function of event attributes; an evaluation processor that evaluates the detected events using a density based anomaly detection method, f(r), where r is a size of a neighborhood around a data point representing the event; a comparison processor that compares a value of the evaluated expression with a margin threshold value (msg(r)); and an alarm processor that sets an alarm upon detecting that the value exceeds the threshold value.

10. The apparatus as in claim 9 wherein the event processor and function of the event attributes further comprises a processor that associates an event's access point identifier (ID) to a predetermined one of a plurality of security zones within the secured area wherein the distance between events is determined based on spatial arrangement of the security zones and wherein said distance is used to establish notion of neighborhood around a data point representing the event.

11. The apparatus as in claim 9 wherein the event processor and function of the event attributes further comprises a processor that associates the event's user ID to a predetermined one of a plurality of user roles within the secured area, wherein the distance between events is determined based on similarity of the associated user roles and wherein said distance is used to establish notion of a neighborhood around a data point representing the event.

12. The method as in claim 9 wherein the event processor and function of the event attributes further comprises a processor that associates the event's user ID to a predetermined one of a plurality of security zones within the secured area, wherein the distance between events is determined based on differences between the associated security zones and wherein said distance is used to establish notion of a neighborhood around a data point representing the event.

13. The apparatus as in claim 9 wherein the function further comprises continuous data values including at least one of a time of entry into the secured area, a frequency of entry into the secured area per time period, a duration of stay within the secured area after each entry, a frequency of travel from one security zone to another within the secured area and a duration of non-entry into the secured area.

14. The apparatus as in claim 13 further comprising constructing a continuous attribute distribution for each continuous data value function associated with each categorical value of a user.

15. The apparatus as in claim 14 further comprising defining a similarity measure using similarity measures including at least Kullback-Leibler divergence or mutual information defined for two distributions.

16. The apparatus as in claim 15 further comprising inverting the similarity into a distance measurement and using it to establish notion of a neighborhood around a data point representing the event.

17. An apparatus comprising: a security system that detects security events within a secured area; a processor that detects events related to the activities of users within a security system wherein the events are defined by a plurality of attributes, wherein at least one attribute is categorical and wherein a data distance between events is a function of event attributes; a processor that evaluates the detected events using a density based anomaly detection method, f(r), where r is a size of a neighborhood around a data point representing the event; a processor that compares a value of the evaluated expression with a margin threshold value (msg(r)); and a processor that sets an alarm upon detecting that the value exceeds the threshold value.

18. The apparatus as in claim 17 wherein the function further comprises continuous data values including at least one of a time of entry into the secured area, a frequency of entry into the secured area per time period, a duration of stay within the secured area after each entry, a frequency of travel from one security zone to another within the secured area and a duration of non-entry into the secured area.

19. The apparatus as in claim 17 wherein the function further comprises continuous data values including at least one of a time of entry into the secured area, a frequency of entry into the secured area per time period, a duration of stay within the secured area after each entry, a frequency of travel from one security zone to another within the secured area and a duration of non-entry into the secured area.

20. The apparatus as in claim 17 wherein the event processor and function of the event attributes further comprises a processor that associates the event's user ID to a predetermined one of a plurality of user roles within the secured area, wherein the distance between events is determined based on similarity of the associated user roles and wherein said distance is used to establish notion of a neighborhood around a data point representing the event.
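
Claims 1 and 5 to 8 together describe a pipeline: per-category distributions of a continuous attribute, a divergence between them turned into a distance, and a density score over the resulting neighborhoods. The Python sketch below is an added example, not code from the patent or its inventors. The page does not define f(r) or msg(r), so a LOCI-style MDEF score and a k * sigma_MDEF margin stand in for them; the 1 - exp(-KL) mapping, the weights, all function names and the sample events are likewise assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample events: (user role, hour of entry)
EVENTS = ([("clerk", h) for h in (8, 8, 8, 9, 9, 9, 8, 9)] + [("clerk", 3)]
          + [("engineer", h) for h in (8, 9, 9, 10, 9, 8, 10, 9)]
          + [("cleaner", h) for h in (21, 21, 22, 22, 21, 22)])

def role_distributions(events, bins=24, smooth=1.0):
    """Claim 6: smoothed entry-hour distribution for each categorical value."""
    counts = defaultdict(Counter)
    for role, hour in events:
        counts[role][hour % bins] += 1
    return {role: [(c[b] + smooth) / (sum(c.values()) + smooth * bins)
                   for b in range(bins)] for role, c in counts.items()}

def kl(p, q):
    return sum(pi * math.log(pi / qi) for pi, qi in zip(p, q))

def role_distance(dists):
    """Claims 7-8: symmetrised KL mapped into [0, 1) (assumed mapping)."""
    return {(a, b): 1 - math.exp(-(kl(dists[a], dists[b]) + kl(dists[b], dists[a])) / 2)
            for a in dists for b in dists}

def event_distance(e1, e2, rdist, w_role=0.5):
    dh = abs(e1[1] - e2[1])
    dt = min(dh, 24 - dh) / 12.0          # circular hour gap scaled to [0, 1]
    return w_role * rdist[(e1[0], e2[0])] + (1 - w_role) * dt

def mdef_scores(events, rdist, r, alpha=0.5):
    """Assumed stand-in for f(r): LOCI-style (MDEF, sigma_MDEF) per event."""
    def count(i, radius):
        return sum(event_distance(events[i], e, rdist) <= radius for e in events)
    small = [count(i, alpha * r) for i in range(len(events))]
    scores = []
    for i, e in enumerate(events):
        nbrs = [j for j, o in enumerate(events) if event_distance(e, o, rdist) <= r]
        mean = sum(small[j] for j in nbrs) / len(nbrs)
        sd = math.sqrt(sum((small[j] - mean) ** 2 for j in nbrs) / len(nbrs))
        scores.append((1 - small[i] / mean, sd / mean))
    return scores

def alarms(events, r=0.3, k=3.0):
    """Claim 1: alarm when the score exceeds the margin (assumed k * sigma_MDEF)."""
    rdist = role_distance(role_distributions(events))
    scores = mdef_scores(events, rdist, r)
    return [e for e, (mdef, sigma) in zip(events, scores) if mdef > k * sigma]

if __name__ == "__main__":
    print(alarms(EVENTS))
```

With the constructed data, clerks and engineers end up close in role distance because their entry hours overlap, so the 03:00 clerk entry is judged against both groups and is the only event whose score clears the margin.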

Patent Metadata

Filing Date

Unknown

Publication Date

May 12, 2015

Inventors

Vit Libal
Pavel Vacha
Valerie Guralnik

Cite as: Patentable. “System and Method of Anomaly Detection with Categorical Attributes” (9030316). https://patentable.app/patents/9030316